Wednesday

Apr 11, 2018 at 7:04 AMApr 11, 2018 at 7:05 AM

CHICAGO — State lawmakers are considering a proposal that opponents argue would gut protections for data on people's individual biological characteristics, just as the nation's attention turns toward online privacy in the wake of Facebook's massive data exposure scandal.

Illinois' Biometric Information Privacy Act has been called one of the strictest laws of its kind in the nation and has turned the state into a hotbed of lawsuits over alleged misuses of data from facial, fingerprint and iris scans. Privacy experts says protecting that type of information is critical because, unlike a credit card or bank account number, it's permanent.

Supporters of the proposed changes say an update to the 10-year-old law is necessary to keep up with technology. Employers increasingly use biometric timekeeping devices for accurate accounting of workers' hours and tout the scanning of fingerprints or faces as an additional security measure.

Sen. Bill Cunningham, D-Chicago, who is sponsoring the proposal in the Senate, said those uses should be allowed as long as companies are handling the data properly.

"The technology has bypassed what this law was intended to combat," Cunningham said. "We don't want to alter the intent of the original law in any way."

The law currently mandates that companies collecting such information obtain prior consent from consumers or employees, detailing how they'll use the data and how long the records will be kept. It also allows private citizens to sue, while other states let only the attorney general bring a lawsuit.

Companies across a wide range of industries have faced allegations in Illinois involving improper use of biometrics, from tech giants such as Facebook, Google, Snapchat and Shutterfly to Chicago-based United Airlines, grocery company Roundy's and InterContinental Hotels' Kimpton chain.

The Senate proposal would allow companies to collect biometric information on their employees if it is used exclusively for employment, human resources or identification, as well as safety, security or fraud prevention.

That's troubling to Adam Schwartz, a senior lawyer at the San Francisco-based Electronic Frontier Foundation. Currently, employers can take their employees' fingerprints to have them clock in; they just have to notify them first.

That empowers "workers in Illinois to have a say in what their employers are doing with their biometrics," Schwartz said. The proposed change would take away that power.

The Illinois Chamber of Commerce, which launched a technology council earlier this year that is co-chaired by Facebook lobbyist Dan Sachs, supports the proposed changes.

Protecting users' data is important, but the way the law is currently written is placing a burden on employers, said Tyler Diers, director of legislative relations for the Illinois Chamber. Many of the class-action lawsuits stemming from the Biometric Information Privacy Act have been brought against companies that are using biometrics for tasks like timekeeping or security.

"Employers are being sued for minor technicalities of the law," Diers said.

Laws like the one currently in place also can add hoops for companies to jump through and inhibit investment in the state, Diers said. When companies "are looking to expand here, these sorts of laws are on their corporate white papers," he said.

The law already appears to be influencing some product rollouts. Nest, a maker of smart thermostats and doorbells, sells a doorbell with a camera that can recognize visitors by their faces. However, Nest, owned by Google parent Alphabet, does not offer that feature in Illinois because of the biometrics law. Google's Arts & Culture app rolled out a new feature late last year that matched users' uploaded selfies with portraits or faces depicted in works of art, but it's not available in Illinois, likely due to the state's biometric law.

Opponents are concerned that the proposed changes would only require private entities to notify people if their biometric data is to be kept for more than 24 hours. Additionally, the law would only protect biometric data linked to "confidential and sensitive information," such as a driver's license number or Social Security number.

Tying a map of your face to your name is sensitive enough on its own, said Alvaro Bedoya, who runs the Center on Privacy and Technology at Georgetown University Law Center.

Facebook started informing its users Monday about whether political data-mining firm Cambridge Analytica might have gained access to their data. The social media behemoth estimates about 87 million users' data could have been accessed, and it has been promising to increase its privacy protocol since news broke that Cambridge, hired by President Donald Trump's campaign, allegedly used the data in an attempt to influence the 2016 election.

There have been movements to delete Facebook and calls from legislators for the company to do better. Facebook CEO Mark Zuckerberg appeared on Capitol Hill on Tuesday and is set to return Wednesday to testify about online privacy and his company's role in exposing users' data.

The timing of hearings on the proposed changes to Illinois' biometrics law — Wednesday in the Illinois House and Thursday in the Senate — is strange, Bedoya said.

"To be really honest, I think this is just some real chutzpah from the tech industry in the middle of our society having a moment of saying, 'Hey, maybe we've given these tech companies a little too wide of (berth) to do what they want to do,'" he said.

Never miss a story

Choose the plan that's right for you.
Digital access or digital and print delivery.

Sections

Information

Original content available for non-commercial use under a Creative Commons license, except where noted.
The State Journal-Register ~ Street address: One Copley Plaza (corner of Ninth Street and Capitol Avenue), Springfield, ILMailing address: The State Journal-Register, P.O. Box 219, Springfield, IL 62705-0219 ~ Privacy Policy ~ Terms Of Service